The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 8

Friday 14 March 2008

Contents

Wind Power Risks
Charles Wood
FBI Found to Misuse Security Letters
lynn via Dave Farber's IP
RFID hack could crack open 2 billion smart cards
Sharon Gaudin
Nasty scanner attack: AccuBasic malware
PGN
Hacking a pacemaker
Gadi Evron
More on pacemaker risks
PGN
Stopping cars with microwaves
Matthew D. Healy
It's too easy to access the "off" switch
Robert P Schaefer
UK ISPs to sell users' private browsing information
Mike Scott
TSA can't believe MacBook Air is a real laptop; owner misses flight
Paul Saffo
Deja Vu all over again
Andrew Koenig
CAPTCHA attacks
Monty Solomon
Safari "beachball" black on black
Richard A. O'Keefe
Risks of Leap Years and Dumb Digital Watches
Clive D. W. Feather
Amos Shapir
USENIX Announces Open Access to Conference Proceedings
Lionel Garth Jones
Info on RISKS (comp.risks)

Wind Power Risks

"Charles Wood" <j.charles.wood@gmail.com>
Mon, 3 Mar 2008 08:03:47 +0900
It is now becoming more common to hear of wind power caused outages. The
outages are either a loss of service because the wind has stopped blowing
or, surprisingly, because there is too much wind.

These problems were not so apparent when the percentage of wind power was
low compared to the overall capacity, and in particular to rapid response
generators such as hydro.

It seems that wind power has become too successful and the engineering
required to integrate it into different grids has lagged behind. In
particular, the correct balance is not being achieved between wind power
capacity in a region and the available replacement power sources -
transmission and local non-base load sources.

A recent outage in Texas illustrates the low wind example. An *IEEE
Spectrum* article by Peter Fairley explains the overload scenario.

The Texas outage on February 27 as reported by Reuters:
http://www.reuters.com/article/domesticNews/idUSN2749522920080228?feedType=RSS&feedName=domesticNews&rpc=22&sp=true

"Electric Reliability Council of Texas (ERCOT) said a decline in wind energy
production in west Texas occurred at the same time evening electric demand
was building as colder temperatures moved into the state.

The grid operator went directly to the second stage of an emergency plan at
6:41 PM CST (0041 GMT), ERCOT said in a statement.

System operators curtailed power to interruptible customers to shave 1,100
megawatts of demand within 10 minutes, ERCOT said. Interruptible customers
are generally large industrial customers who are paid to reduce power use
when emergencies occur."

The IEEE article on power surges from wind farms is at
http://spectrum.ieee.org/feb08/5943 and the key paragraph is this:

  Wind-farm installation in Europe grew an estimated 38 percent last year,
  up from 19 percent in 2006, bringing the total capacity to about 67
  gigawatts (roughly the equivalent of 20 to 25 standard-size nuclear power
  plants). At those rates, European grid operators report, windmill
  construction is outstripping growth in transmission capacity. The result
  is that in wind-farm-rich countries such as Germany and Denmark, high
  winds cause large and unanticipated power flows that saturate the grids of
  neighboring nations. In recent years this has forced grid operators to
  curtail scheduled transfers of power between grids. In 2008, the grid
  operators warn, the unanticipated power flows could overload lines
  anywhere from the Czech Republic to the Netherlands.


FBI Found to Misuse Security Letters (From Dave Farber's IP)

<lynn [lynn@ecgincc.com]>
Fri, 14 Mar 2008 9:36
http://www.washingtonpost.com/wp-dyn/content/article/2008/03/13/AR2008031302277.html?hpid=topnews

FBI Found to Misuse Security Letters; 2003-06 Audit Cites Probes of Citizens

Dan Eggen, *The Washington Post*, 14 Mar 2008

The FBI has increasingly used administrative orders to obtain the personal
records of U.S. citizens rather than foreigners implicated in terrorism or
counterintelligence investigations, and at least once it relied on such
orders to obtain records that a special intelligence-gathering court had
deemed protected by the First Amendment, according to two government audits
released yesterday.

The episode was outlined in a Justice Department report that concluded the
FBI had abused its intelligence-gathering privileges by issuing
inadequately documented "national security letters" from 2003 to 2006,
after which changes were put in place that the report called sound.

A report a year ago by the Justice Department's inspector general
disclosed that abuses involving national security letters had occurred
from 2003 through 2005 and helped provoke the changes. But the report
makes it clear that the abuses persisted in 2006 and disclosed that 60
percent of the nearly 50,000 security letters issued that year by the FBI
targeted Americans.  [...]

  [See also
    http://www.reuters.com/article/topNews/idUSN0563517120080305
  PGN]


RFID hack could crack open 2 billion smart cards (Sharon Gaudin)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 14 Mar 2008 14:43:13 PDT
Sharon Gaudin, *Computerworld*, 14 Mar 2008

A student at the University of Virginia has discovered a way to break
through the encryption code of RFID chips used in up to 2 billion smart
cards used to open doors and board public transportation systems.

Karsten Nohl, a graduate student working with two researchers based in
Germany, said the problem lies in what he calls weak encryption in the
MiFare Classic, an RFID chip manufactured by NXP Semiconductors. Now that
he's broken the encryption, Nohl said he would only need a laptop, a scanner
and a few minutes to get the cryptographic key to an RFID door lock and
create a duplicate card to open it at will.

And that, according to Ken van Wyk, principal consultant at KRvW Associates,
is a big security problem for users of the technology.

"It turns out it's a pretty huge deal," said van Wyk. "There are a lot of
these things floating around out there. Using it for building locks is the
biggy, especially when it's used in sensitive government facilities - and I
know for a fact it's being used in sensitive government facilities."

Van Wyk told Computerworld that one European country has deployed military
soldiers to guard some government facilities that use the MiFare Classic
chip in their smart door key cards. "Deploying guards to facilities like
that is not done lightly," he added. "They recognize that they have a huge
exposure. Deploying guards is expensive. They're not doing it because it's
fun. They're safeguarding their systems." He declined to identify the
European country.

Manuel Albers, a spokesman for NXP Semiconductors, said the company has
confirmed some of Nohl's findings. However, he said there are no plans to
take the popular chip off the market.

"The MiFare chip was first introduced in 1994. At the time, the security
level was very high," he said in an interview. "The 48-bit key lengths for
encryption was state of the art."

Albers added that the company has other, more secure chips in its product
portfolio these days, but the MiFare Classic is a relatively inexpensive,
entry-level chip. Anyone needing a highly secure smart card should make sure
there's layered security and not just depend on the chip's encryption, he
said.

"We have to start this discussion, really, at the level where we
differentiate between the security level the chip provides and the
additional security features an entire card provides. You're dealing with a
layered security system, like strands to a rope," said Albers, noting that
between 1 billion and 2 billion smart cards with this MiFare Classic-type
chip have been sold. "As long as there's demand for this product [and]
system integrators saying this product is good enough for their platforms,
we will continue to offer it."

Albers noted that NXP recently released MiFare Plus, which is
backward-compatible with the MiFare Classic while offering better
security. He said the company did not release the updated chip because of
Nohl's findings, but it did use some of his information when designing it.

"The problem is the card and the card reader," said Nohl. "They speak the
same cryptography language that is flawed. Both need to be replaced.  There
is a lot of infrastructure to be replaced. The encryption is not
standard. It's weak. It uses two short keys."

While Albers said "the majority" of the smart cards with this chip are used
as bus or subway cards, both van Wyk and Nohl said the real problem lies in
the cards that are used as door locks.

"I don't think people want to steal other people's bus tickets," said
Nohl. "But think about chemical waste storage buildings or military
facilities. The stakes are a lot higher. If you break in, you don't get a $2
bus ticket, but [you get] whatever is in that warehouse. These cards are
used around the world to secure high-level buildings. All these applications
will suffer as soon as somebody with criminal intent finds the details that
we have."

Nohl explained that since the MiFare Classic smart cards use a radio chip,
he can easily scan them for information. If someone came out of a building,
carrying a smart card door key, he could walk past them with a laptop and
scanner in a backpack or bag and scan their card. He also could walk past
the door and scan for data from the reader.

Once he's captured information from a smart card and the card reader on the
door, he would have enough information to find the cryptographic key and
duplicate a smart card with the necessary encryption information to open the
door.

How long would it take him to capture the necessary information? About two
minutes, he said.

Van Wyk thinks Nohl might be humble in his estimate. "He says it would take
him two minutes to crack it? Two minutes? I'd like to know what he did with
the other minute and 55 seconds," he said. "It is so easy to crack most of
that stuff. I don't think it's general to RFID, but there are a lot of RFID
implementations that haven't done this very well. You could do RFID well,
but it turns out that not many vendors are."


Nasty scanner attack: AccuBasic malware

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 12 Mar 2008 22:07:20 PDT
http://voter.engr.uconn.edu/voter/Reports_files/seeA-tamperEVoting.pdf

  In this paper we present a security assessment of the Diebold AccuVote
  Optical Scan voting terminal (AV-OS), a popular OS terminal currently in
  wide deployment anticipating the 2008 Presidential elections. The
  assessment is developed using exclusively reverse-engineering, without any
  technical specifications provided by the machine suppliers. We demonstrate
  a number of security issues that relate to the machine's proprietary
  language, called AccuBasic, that is used for reporting election results.
  While this language is thought to be benign, especially given that it is
  essentially sandboxed by the firmware to have only read access, we
  demonstrate that it is powerful enough to (i) strengthen known attacks
  against the AV-OS so that they become undetectable prior to elections (and
  thus significantly increasing their magnitude) or, (ii) to conditionally
  bias the election results to reach a desired outcome.  Given the
  discovered vulnerabilities and attacks we proceed to discuss how random
  audits can be used to validate with high confidence that a procedure
  carried out by special purpose devices such as the AV-OS has not been
  manipulated. We end with a set of recommendations for the design and
  safe-use of OS voting systems.

  During our own experimentation we found that the bytecode language offers
  a wealth of functions that can be potentially exploited by an attacker. In
  particular, we will demonstrate a time-bomb attack in which the bytecode
  checks the date and time in order to decide whether the election has
  begun. An attack utilizing such code can retain proper behavior in
  pre-election testing, in which the machine is verified by comparison with
  hand counted ballots, while behaving improperly during the actual
  election.


Hacking a pacemaker

Gadi Evron <ge@linuxbox.org>
Wed, 12 Mar 2008 03:45:19 -0500 (CDT)
Almost a year ago I gave a talk at the CCC Camp in Germany I called
"hacking the bionic man". It even made Wired, in some fashion.
http://blog.wired.com/27bstroke6/2007/08/will-the-bionic.html
http://events.ccc.de/camp/2007/Fahrplan/events/2049.en.html

The talk, among other things such as DNA and scripting languages, medical
doctors and reverse engineers... was about cybernetic hacking.  I gave some
predictions, some for 2 years, others 40 years. Some again were pure science
fiction. I was wrong on the 2 years, it's here.

Today, this came up in the news (hat tip to Paul Ferguson on the funsec
mailing list):
http://www.nytimes.com/2008/03/12/business/12heart-web.html?_r=1&oref=slogin

" The threat seems largely theoretical. But a team of computer security
researchers plans to report Wednesday that it had been able to gain wireless
access to a combination heart defibrillator and pacemaker.

They were able to reprogram it to shut down and to deliver jolts of
electricity that would potentially be fatal -- if the device had been in a
person. In this case, the researchers were hacking into a device in a
laboratory. "


More on pacemaker risks

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 14 Mar 2008 14:48:31 PDT
"Security and Privacy of Implantable Medical Devices," Daniel Halperin,
Thomas S. Heydt-Benjamin, Kevin Fu, Tadayoshi Kohno, and William H. Maisel,
IEEE Pervasive Computing, January 2008.
http://www.secure-medicine.org/PervasiveIMDSecurity.pdf

"Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks
and Zero-Power Defenses," Daniel Halperin, Thomas S. Heydt-Benjamin,
Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu,
Tadayoshi Kohno, and William H. Maisel, IEEE Symposium on Security and
Privacy, May 2008.  http://www.secure-medicine.org/icd-study/icd-study.pdf


Stopping cars with microwaves (Re: RISKS-25.07)

"Matthew D. Healy" <mdhealy@sprynet.com>
Thu, 28 Feb 2008 08:45:15 -0500 (EST)
My father has a pacemaker wired to his heart and is therefore required to
stay away from things like domestic microwave ovens.  What might happen to
him if this device were used to stop a perpetrator in his vicinity?


It's too easy to access the "off" switch.

"Schaefer, Robert P \(US SSA\)" <robert.p.schaefer@baesystems.com>
Wed, 12 Mar 2008 9:13:04 PDT
from boingboing:

Teen pranksters switch off San Francisco's electric buses
(Posted by Cory Doctorow), 11 Mar 2008

Destiny sez, "San Francisco is now stymied by 'bus tampering.' Their new
electric 'hybrid' buses have an on/off switch—which, unfortunately, 'can
be accessed easily through an unlocked panel on the outside of the bus.'
'When that happens, the drivers can't accelerate, they lose radio contact
with dispatchers and the interior lights on the buses go out.'  Teenage
pranksters then pelt the immobile buses with rocks." Link (Thanks, Destiny!)

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/03/07/BAOKVF1E8.DTL&tsp=1SF


UK ISPs to sell users' private browsing information

"mike scott" <mike@scottsonline.org.uk>
Sat, 08 Mar 2008 10:20:59 -0000
Three major UK ISPs apparently are in advanced talks with a company called
Phorm, intending to let Phorm monitor all unsecured web traffic to and from
their users. The expressed intent is to offer an "improved browsing
experience" through better targeted web advertising, and anti-phishing
protection - thereby "improving" one's internet security. One, BT, has
already trialed the system.

The ISPs and Phorm are remarkably coy about the system, and Phorm in
particular appears to have offered inconsistent explanations of how it all
works. However, it does appear clear that this system provides access for a
private company to an unprecedented amount of data that even the UK
government is not permitted (at least without a court order). Phorm promise
faithfully not to record information such as bank details or telephone
numbers :-)

Phorm claim the data is summarized and anonymized; regular readers of RISKS
will I'm sure be aware that true anonymization is exceedingly difficult -
and in fact this scheme would give ready access to identities should anyone
take the trouble. Quite apart from being a breach of trust by the ISPs
involved, it appears to drive a coach, horses and a whole army through
protection offered by assorted UK legislation, including the Data Protection
Act, Computer Misuse Act, Regulation of Regulatory Powers Act, etc, etc. It
will if nothing else provide a central point for cracking to obtain
information about these ISPs' users.

The proposed system has been mentioned in passing in the media - who
regrettably seem to have accepted without further investigation Phorm's
assurances that there's no privacy issue. They've not even noticed that the
so-called "opt-out" won't stop the data scanning, just the ads.

Oh, did I forget to mention Phorm used to be 121Media, of rootkit and
PeopleOnPage fame? And involves servers outside the EU, in China in
particular? I think there's not so much a RISK, more of a CERTAINTY that
this will go pear-shaped.

References:
http://www.phorm.com/isp_partners/
http://www.oix.com/index.html
http://www.badphorm.co.uk
http://www.theregister.co.uk/2008/02/29/phorm_roundup/
http://www.techdirt.com/articles/20080218/024203278.shtml
http://www.guardian.co.uk/technology/2008/mar/06/internet.privacy
  (and note that the Guardian has signed up with phorm for the
  targeted ads scheme)
http://www.theregister.co.uk/2008/02/27/bt_phorm_121media_summer_2007/
  (and so on...)

  [BTW this issue affects virginmedia, BT and talktalk in the UK - around 10
  million people iirc. Other ISPs are waiting to jump on the bandwagon.
  Talktalk seem to be backpedaling, and may be making it opt in, although
  there is still major doubt about what /exactly/ is happening.]

http://www.scottsonline.org.uk lists incoming sites blocked because of spam
mike@scottsonline.org.uk    Mike Scott, Harlow, Essex, England


TSA can't believe MacBook Air is a real laptop; owner misses flight

Paul Saffo <paul@saffo.com>
Mon, 10 Mar 2008 10:44:30 -0700
(I doubt this story is true, but still it is too good not to pass on -p)

TSA can't believe MacBook Air is a real laptop, causes owner to miss
flight; posted 10 Mar 2008 by Darren Murph
http://www.engadget.com/2008/03/10/tsa-cant-believe-macbook-air-is-a-real-laptop-causes-owner-to/

The TSA has been known to take issue with products designed in Cupertino
before, but for one particular traveler, it was Apple's thinnest laptop ever
that caused the latest holdup. Upon tossing his ultra-sleek slab of aluminum
underneath the scanner, security managed to find enough peculiarities to
remove it from the flow, pull it aside and wrangle up the owner for some
questions. Apparently, the TSA employee manning the line was flabbergasted
by the "lack of a drive" and the complete absence of "ports on the back,"
and while hordes of co-workers swarmed to investigate, the user's flight
took off on schedule. Thankfully, said owner was finally allowed to pass
through after some more in-the-know colleagues explained in painfully simple
terms what an SSD was, but the poor jet-setter most definitely paid the
price for trying to slip some of the latest and greatest under the sharp
eyes of the TSA (and cutting it close on time, of course).


Deja Vu all over again

"Andrew Koenig" <ark@acm.org>
Wed, 27 Feb 2008 12:54:54 -0500
Yet another example of a major company sending e-mail that looks like
phishing in E-mail from Paypal:

  Dear Andrew Koenig,

  Now you can pay with PayPal at all your favorite shopping sites, even when
  it's not an option at checkout.  Use the new PayPal Plug-in to:

    * Shop securely anywhere online
    * Fill out shipping forms in 1 click.
    * Save your receipts to review anytime

  Install in seconds - download for free and start Shopping today!

The words "download for free" are a hyperlink, and when I hover the cursor
over it, I learn that it is a link to
http://email1.paypal.com/u.d?xxxxxxxx=nnn, where the x represents
various letters and digits and the n's represent digits.

So unless email1.paypal.com is somehow now part of the PayPal domain, this
appears to be a legitimate solicitation disguised as a phishing attempt.

As I remarked last time, they appear to be trying to train their customers
to fall for phishing scams.  What on earth could they be thinking?
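The check Koenig did by hand (hover, read the hostname, ask whether it sits inside the company's domain) is easy to get wrong in code, so here is an added example of doing it mechanically. It is not part of Koenig's post and not PayPal's code; the sample links are constructed, with the host he reported reused alongside a placeholder path and a few look-alike hosts that a naive suffix match would accept:

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample links for the check below. The first reuses the host
# Andrew Koenig reported (with a placeholder path); the others are made up
# to show the shapes a substring or suffix test gets wrong.
SAMPLE_LINKS = [
    "http://email1.paypal.com/u.d?xxxxxxxx=nnn",   # real subdomain of paypal.com
    "https://www.paypal.com/signin",                # plain in-domain link
    "https://paypal.com.evil.example/login",        # org domain used as a prefix
    "https://www.paypal.com@evil.example/",         # userinfo before the real host
    "https://notpaypal.com/",                       # suffix match without a dot boundary
    "https://PAYPAL.COM/",                          # hostnames are case-insensitive
    "javascript:alert(1)",                          # not a network link at all
]


def link_host(url: str) -> Optional[str]:
    """Hostname a browser would actually connect to, lowercased, or None.

    urlsplit().hostname strips any user:pass@ prefix, so the userinfo trick
    resolves to the host after the '@', not the one the reader sees first.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return parts.hostname


def host_within_domain(host: str, org_domain: str) -> bool:
    """True only if host equals org_domain or is a label-aligned subdomain of it."""
    host = host.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


def link_within_domain(url: str, org_domain: str) -> bool:
    """Combine the two steps: parse first, then compare on whole DNS labels."""
    host = link_host(url)
    return host is not None and host_within_domain(host, org_domain)


def classify_links(urls, org_domain: str):
    """Map each URL to whether its target host lies within org_domain."""
    return {u: link_within_domain(u, org_domain) for u in urls}


if __name__ == "__main__":
    for url, inside in classify_links(SAMPLE_LINKS, "paypal.com").items():
        print(f"{'in-domain ' if inside else 'OUTSIDE   '} {url}")
```

Two design points matter here: compare on whole labels (the `"." + org_domain` boundary), never with a bare `in` or `endswith`, and take the host from the parser rather than from the start of the string, because everything before an `@` is userinfo and is not where the browser goes.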


CAPTCHA attacks

Monty Solomon <monty@roscom.com>
Mon, 10 Mar 2008 10:29:16 -0400
Yahoo's CAPTCHA Security Reportedly Broken
January 17, 2008 06:00 PM
http://www.informationweek.com/news/showArticle.jhtml?articleID=205900620

Streamlined anti-CAPTCHA operations by spammers on Microsoft Windows Live Mail
Feb 6 2008 1:37PM
http://www.websense.com/securitylabs/blog/blog.php?BlogID=171

Google's CAPTCHA busted in recent spammer tactics
Feb 22 2008 4:52PM
http://www.websense.com/securitylabs/blog/blog.php?BlogID=174


Safari "beachball" black on black

"Richard A. O'Keefe" <ok@cs.otago.ac.nz>
Fri, 7 Mar 2008 17:41:55 +1300
My G4 PowerMac was replaced by an intel-Mac this week.  I had a number of
problems, notably browsers not coping with links to PDFs.  My sysadmin fixed
all this, but we thought she hadn't, because in Safari, when you click on a
PDF link, it opens up a black window, and then while it is fetching the
document, it spins a black "daisy" that has replaced the old beachball.  If
you know it is there, you can just see it, but if you don't know to expect
it, you will never notice it.  Black information on a black background?  Not
what I'd expected from Apple.


Risks of Leap Years and Dumb Digital Watches (Brader, RISKS-25.07)

"Clive D. W. Feather" <clive@on-the-train.demon.co.uk>
Mon, 3 Mar 2008 15:04:30 +0000
On reading [Mark Brader's post], I checked to discover that my watch was a
day ahead.  But not because it wasn't the smarter kind. On the contrary, it
understands that 29 Feb occurs one year in four [almost], but was set to the
wrong year in the cycle! Perhaps you need to run this posting next year.

As a user interface risk: I haven't figured out how to find the right year
on my watch other than by cycling through the months and checking whether it
accepts February 29th then, once it does, stepping through the months again.

Clive D.W. Feather http://www.davros.org +44 20 8495 6138 clive@davros.org


Re: Risks of Leap Years and Dumb Digital Watches (RISKS-25.07)

Amos Shapir <amos083@hotmail.com>
Mon, 3 Mar 2008 17:35:56 +0200
I have 3 clocks, each of different generation, and each has its set of bugs:

* My watch is a pocket analog one, its date has to be set 5 times a year (by
turning the crown).

* My bedside clock is 1980-vintage big red LED digital (best for displaying
time at night).  It doesn't know about Feb. 29, so its date display has to
be set once every 4 years (by running around the year - it has a "fast
forward" button but no way to step down).

* The latest acquisition is an LCD clock which also shows the year number,
so it can figure out leap days; it might have a problem in 2100, if it lasts
that long.  It sets itself by listening to a radio time signal, so
theoretically it should never have to be set at all, but every now and then
it glitches and displays a wrong time, date or year; the difference is
always a power of 2 in one of the digits, which looks like it's getting the
data in some sort of BCD format, without any checksum or sanity check (which
is not news on RISKS).  I wonder how many critical installations are using
the same chip.
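Shapir's observation that every glitch is a power of 2 in a single digit is exactly the signature of a one-bit reception error in a packed-BCD field, and it is worth seeing why plain range checks are not enough. The following is an added example, not code from the post or from any real time-signal chip: it assumes a constructed six-byte packed-BCD frame (YYMMDDhhmmss), simulates one flipped bit, and shows which errors a nibble check and a calendar range check catch, which slip through, and how an XOR checksum over the frame closes the gap.

```python
import calendar

FIELDS = ("year", "month", "day", "hour", "minute", "second")

# Constructed frame: 2008-03-03 17:35:56 in packed BCD, two digits per byte.
GOOD_FRAME = bytes([0x08, 0x03, 0x03, 0x17, 0x35, 0x56])


def bcd_decode(frame: bytes) -> dict:
    """Decode 6 packed-BCD bytes into a dict; a nibble above 9 is not BCD and is rejected."""
    if len(frame) != len(FIELDS):
        raise ValueError("frame must be exactly 6 bytes")
    out = {}
    for name, b in zip(FIELDS, frame):
        hi, lo = b >> 4, b & 0x0F
        if hi > 9 or lo > 9:
            raise ValueError(f"{name}: nibble out of BCD range in 0x{b:02x}")
        out[name] = hi * 10 + lo
    return out


def range_check(t: dict) -> bool:
    """Calendar sanity checks; a clock without these displays whatever arrives."""
    year = 2000 + t["year"]            # two-digit year, as the display in the post
    ok = 1 <= t["month"] <= 12
    ok = ok and 1 <= t["day"] <= calendar.monthrange(year, t["month"])[1]
    return ok and t["hour"] < 24 and t["minute"] < 60 and t["second"] < 60


def checksum(frame: bytes) -> int:
    """Longitudinal parity (XOR of all bytes): any single flipped bit changes it."""
    c = 0
    for b in frame:
        c ^= b
    return c


def flip_bit(frame: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a reception glitch by toggling one bit of one byte."""
    buf = bytearray(frame)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def field_deltas(good: dict, bad: dict) -> dict:
    """Per-field difference bad - good, for the fields that changed."""
    return {k: bad[k] - good[k] for k in FIELDS if bad[k] != good[k]}


def receive(frame: bytes, expected_checksum=None):
    """Return ('ok', fields) or ('rejected', reason), checksum first if one was sent."""
    if expected_checksum is not None and checksum(frame) != expected_checksum:
        return "rejected", "checksum mismatch"
    try:
        t = bcd_decode(frame)
    except ValueError as exc:
        return "rejected", str(exc)
    if not range_check(t):
        return "rejected", "field out of range"
    return "ok", t


if __name__ == "__main__":
    sent = checksum(GOOD_FRAME)
    print("clean frame:", receive(GOOD_FRAME, sent))
    # Bit 2 of the minute byte: 0x35 -> 0x31, minute 35 -> 31, delta -4.
    # Every per-field check passes; only the checksum notices.
    quiet = flip_bit(GOOD_FRAME, 4, 2)
    print("silent glitch:", receive(quiet), field_deltas(bcd_decode(GOOD_FRAME), bcd_decode(quiet)))
    print("same, with checksum:", receive(quiet, sent))
    # Bit 3 of the minute byte: 0x35 -> 0x3D, low nibble 0xD is not a digit.
    print("bad nibble:", receive(flip_bit(GOOD_FRAME, 4, 3)))
    # Bit 7 of the month byte: 0x03 -> 0x83, month 83 fails the range check.
    print("bad month:", receive(flip_bit(GOOD_FRAME, 1, 7)))
```

The silent case is the one Shapir describes: a flip in a low-order bit of a valid digit yields another valid digit, the field stays in range, and the only defence is redundancy carried with the frame, which is why a receiver that trusts undecorated BCD will sooner or later show a time that is off by exactly one, two, four or eight in one digit.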


USENIX Announces Open Access to Conference Proceedings

Lionel Garth Jones <lgj@usenix.org>
Thu, 13 Mar 2008 13:53:15 -0700
USENIX is pleased to announce open public access to all its conference
proceedings.

This significant decision will allow universal access to some of the most
important technical research in advanced computing. In making this move
USENIX is setting the standard for open access to information, an essential
part of its mission.

USENIX could not achieve such goals without the support and dedication of
its membership. We urge you to encourage others to join USENIX.  Membership
helps us present over 20 influential conferences each year and offer open
access to the technical information presented there.

USENIX conference proceedings can be found at:
http://www.usenix.org/publications/library/proceedings/

Questions? Contact papersinfo@usenix.org.

  [This is a wonderful step in the pursuit of open access to information, PGN]
